Twitter’s two-factor authentication change ‘doesn’t make sense’

Twitter announced yesterday that starting March 20, it will only allow its users to secure their accounts with two-factor authentication via SMS if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password, then an additional “factor” like a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing this option for unpaid users has left security experts scratching their heads.

Twitter’s two-factor decision is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid Twitter Blue service – the only way to get a verified blue tick on Twitter accounts currently – costs $11 a month on Android and iOS and less for a desktop-only subscription. Users booted from SMS-based two-factor authentication will have the option to switch to an authenticator app or physical security key.

“While historically a popular form of 2FA, sadly we have seen phone number-based 2FA being used – and abused – by bad actors,” Twitter wrote in a blog post published last night. “So, starting today, we will no longer allow accounts to sign up for the SMS method of 2FA unless they are subscribed to Twitter Blue.”

In a July 2022 account security report, Twitter said only 2.6% of its active users have enabled any type of two-factor authentication. Of these users, almost 75% were using the SMS version. Nearly 29% were using authenticator apps and less than 1% had added a physical authentication key.

SMS two-factor authentication is insecure because attackers can hijack targets’ phone numbers or use other techniques to intercept texts. But security experts have long pointed out that using two-factor SMS is significantly better than not enabling a second factor at all.

Increasingly, tech giants like Apple and Google have phased out the two-factor SMS option and transitioned users (usually over months or years) to other forms of authentication. Researchers fear Twitter’s policy change could confuse users by giving them so little time to complete the transition and making two-factor texting appear as a premium feature.

“Twitter Blog is right to point out that two-factor authentication that uses text messages is frequently abused by bad actors. I recognize that it is less secure than other 2FA methods,” says Lorrie Cranor, director of Carnegie Mellon’s Privacy and Usable Security Lab. “But if their motivation is security, wouldn’t they also want to secure paid accounts? It makes no sense to allow the less secure method for paid accounts only.”

While the company says its two-factor changes will roll out in mid-March, Twitter users with two-factor texting enabled yesterday began encountering a pop-up overlay screen that advised them to remove the second factor altogether or switch to “the authenticator application or security key methods.”

It’s unclear what will happen if users don’t opt out of two-factor texting before the new deadline. The in-app message to users implies that people who still have two-factor SMS enabled when the change officially happens on March 20 will be locked out of their accounts. “To avoid losing access to Twitter, remove two-factor authentication from text messages by March 19, 2023,” the notification read. But Twitter’s blog post says the second factor will simply be disabled on March 20 if users don’t adjust it by then. “After March 20, 2023, we will no longer allow non-Twitter Blue subscribers to use SMS as a 2FA method,” the company wrote. “At that time, accounts with SMS 2FA still enabled will have it disabled.”

Twitter did not return a request for comment on what will happen to accounts that still have two-factor texting enabled on March 20. The company also did not respond to questions about whether the policy change could result in a material loss of two-factor adoption on the platform.

“On the face of it, this seems like a good level of concern for user safety, but if you pay for Twitter Blue and are therefore a customer who takes your use of Twitter seriously and who Twitter should care about most, you can continue to use this less secure authentication method. Huh?” says Jim Fenton, an independent identity, privacy, and security consultant. “[…] something that is supposed to improve user safety and have done the exact opposite.”

On Friday night, the “T(w)itter Takeover News” Twitter account echoed the company’s comments about abuse of phone number-based 2FA by scammers. The account tweeted that “Twitter changed its policies… regarding SMS-based 2FA because telcos used bot accounts to pump 2FA SMS. They were losing $60 million a year with fraudulent text messages.” Shortly after, Elon Musk’s Twitter account replied, “Yup.”

Musk has long said he is at war with Twitter bots, but struggles to separate the legitimate bots from the malicious ones. Meanwhile, Twitter’s two-factor SMS mechanism experienced outages and reliability issues in mid-November amid chaos within the company during the early days of Musk’s leadership.

Eliminating two-factor SMS “could very incrementally reduce Twitter’s costs by not requiring Twitter to pay a fraction of a penny to a telecom provider to send those SMS messages,” Fenton said. But he adds that the cost savings would likely be extremely minor.

Fenton also notes that this move would make more sense if Twitter had also announced support for the new authentication mechanism called “passkeys,” which tech giants are increasingly adopting as a way to reduce users’ reliance on passwords. “Twitter would essentially say they’re replacing it with a new authentication method that also doesn’t require the purchase of a hardware security key,” Fenton says. “But the Twitter Blue exception still wouldn’t make sense.”

As the situation unfolds, the big question is whether this will result in enhanced security for Twitter users’ accounts.

“I don’t think we really know if this will inspire people to go ahead and get an authenticator app or if a lot of people will just give up on 2FA,” says Carnegie Mellon’s Cranor. “Two-factor authentication in general is not widely adopted by users unless they are forced to use it. I think a lot of other companies will be watching to see if banning 2FA SMS is a good idea or not.”

Whether Twitter is transparent about the impacts of the changes and publishes updated stats is another matter altogether.